Skill

jwt-auth

Configure JWT Bearer authentication with Keycloak for affolterNET.Web.Api. Use when setting up token validation, Keycloak integration, or API authentication.

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/affolternet-web-api:jwt-auth

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Configure JWT Bearer authentication with Keycloak integration.

SKILL.md

94 lines · ~590 tokens

Stats

Parent stars0

MaintenanceFair

Last CommitJan 6, 2026

Actions

View Source View Plugin View on GitHub View README

Stats

Actions

JWT Bearer Authentication

Configure JWT Bearer authentication with Keycloak integration.

For complete reference, see Library Guide.

Quick Start

appsettings.json

{
  "affolterNET": {
    "Web": {
      "Auth": {
        "Provider": {
          "Authority": "https://keycloak.example.com/realms/myrealm",
          "ClientId": "my-api-client",
          "ClientSecret": "your-client-secret"
        }
      }
    }
  }
}

Program.cs

var options = builder.Services.AddApiServices(isDev, builder.Configuration, opts => {
    opts.ConfigureApi = api => {
        api.AuthMode = AuthenticationMode.Authenticate;
    };
});

Authentication Modes

Mode	Description
`None`	No authentication required
`Authenticate`	Valid JWT required, no permission checks
`Authorize`	Valid JWT + Keycloak RPT permissions required

Configuration Options

AuthProviderOptions

Property	Description
`Authority`	Keycloak realm URL
`ClientId`	OIDC client identifier
`ClientSecret`	OIDC client secret
`Audience`	Expected JWT audience (optional)

Permission-Based Authorization

When using AuthenticationMode.Authorize:

[Authorize(Policy = "admin-resource")]
[HttpGet("admin")]
public IActionResult AdminOnly() { ... }

// Multiple permissions (comma-separated, any match)
[Authorize(Policy = "resource1,resource2")]
[HttpGet("multi")]
public IActionResult MultiPermission() { ... }

Claims Enrichment

The API automatically enriches claims with:

Standard JWT claims
Aggregated roles from ClaimTypes.Role and "roles" claims
Permissions from RPT tokens (when AuthMode is Authorize)

Troubleshooting

Token validation fails

Verify Authority URL is correct and accessible
Check that ClientId matches the Keycloak client
Ensure the JWT audience matches if configured

Permissions not recognized

Confirm AuthMode is set to Authorize
Verify Keycloak client has authorization services enabled
Check that resources and policies are configured in Keycloak

jwt-auth

Invocation

Context Preview

SKILL.md

jwt-auth

Invocation

Context Preview

SKILL.md

JWT Bearer Authentication

Quick Start

appsettings.json

Program.cs

Authentication Modes

Configuration Options

AuthProviderOptions

Permission-Based Authorization

Claims Enrichment

Troubleshooting

Token validation fails

Permissions not recognized

Similar Skills

JWT Bearer Authentication

Quick Start

appsettings.json

Program.cs

Authentication Modes

Configuration Options

AuthProviderOptions

Permission-Based Authorization

Claims Enrichment

Troubleshooting

Token validation fails

Permissions not recognized

Similar Skills